VBS/Hypoth@MM

This page shows the details and results of our analysis of the malware VBS/Hypoth@MM.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4102 (2000-11-01)

Updated DAT

4516 (2005-06-17)

Minimum Engine

5.1.00

File Length

19,690 bytes

Description Added

2002-12-04

Description Modified

2003-02-07


Characteristics

This threat is detected as VBS/Hypoth@MM in the 4238 DATs; earlier DATs detect it as VBS/Pica.worm.gen. It may arrive as an email attachment. The virus decides where to copy itself according to the name of the Windows system directory. If the system directory is c:\windows\system, the virus copies itself as Runmsdsk32.vbs and SiteList.vbs into the Windows SYSTEM directory. It then adds the registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Runmsdsk32 = "Wscript.exe [windows SYSTEM folder]\Runmsdsk32.vbs %1"

If the system directory is c:\winnt\system32, the virus copies itself as Winnt32.vbs into the Windows directory and as Jokes.vbs into the Windows SYSTEM directory. It then adds the registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Winnt32 = "Wscript.exe [windows directory]\Winnt32.vbs %1"

If the system directory is c:\windows\system32, the virus copies itself as Confidential.vbs into the Windows SYSTEM directory. The worm also copies itself to the Windows, Windows SYSTEM or Windows TEMP directory under a random file name. It then adds the registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Runxpdsk32 = "Wscript.exe [random name and directory].vbs %1"

If the system directory name matches none of the above, the worm copies itself as Runmnt32.vbs to the Windows, Windows SYSTEM or Windows TEMP directory, and as HolidayPics.vbs to the Windows SYSTEM directory. It then adds the registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Runmnt32 = "Wscript.exe [random folder]\Runmnt32.vbs %1"

The worm then adds the registry marker:
HKEY_CURRENT_USER\Software\Theory\Theory = "VBS/Theory by Zed"
Using Outlook, it sends itself to every entry in the Outlook address list. The following types of email may be sent:

  • Subject: Hey [Recipient name]!
  • Body: [Recipient name]! Get free mp3s from the web site that i go to! I can get almost any music that I want, just look at all the cool sites that I went to in the attachments. Bye
  • Attachment: SiteList.vbs
or
  • Subject: Hello [Recipient name]!
  • Body: Have fun with these great jokes!
  • Attachment: Jokes.vbs
or
  • Subject: Here is that file you wanted, [Recipient name]
  • Body: This is the file you wanted - don't let anyone else see it!
  • Attachment: Confidential.vbs
or
  • Subject: Check this out, [Recipient name]
  • Body: Hello [Recipient name] check out these pictures of my last holiday! Dont get jealous!!
  • Attachment: HolidayPics.vbs
On the 8th of August, the virus instead sends email with the following information:
  • Subject: Urgent Update!
  • Body: [Recipient name], Your computer will need this update to protect your computer from new email viruses. I installed this update and it works fine. Thanks.
  • Attachment: One of the following files is sent: SecurityUpdate.vbs, Update.vbs, UpdateSecurity.vbs, UpdateInstaller.vbs, UpdateSetup.vbs or Readme.vbs

The worm appends its viral code to all .vbs and .vbe files found on all hard drives and network drives. It also infects all .mp3, .mp2, .mpg, .mpe, .mpeg, .avi and .mov files, adding a .vbs extension to the name of each infected file (so that a file ending in .mp3 ends in .mp3.vbs).
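The dropped file names, the Run values launched through Wscript.exe, the HKEY_CURRENT_USER\Software\Theory marker and the media files renamed with a trailing .vbs are the host indicators a responder would sweep for. The following is an added example, not part of this description or of any McAfee tool, that checks those indicators offline against a constructed regedit export and a constructed directory listing. It assumes the regedit export layout ([key] headers followed by "name"="data" lines, with backslashes doubled in the data) and compares names case-insensitively, as Windows file and registry names are.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above. The Run value name depends on
# which system-directory case the worm matched, so all four are listed.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"runmsdsk32", "winnt32", "runxpdsk32", "runmnt32"}
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Theory"

# Dropped file names and mailed attachment names, lower-cased for
# case-insensitive comparison (Windows file systems are case-insensitive).
DROPPED_NAMES = {
    "runmsdsk32.vbs", "sitelist.vbs", "winnt32.vbs", "jokes.vbs",
    "confidential.vbs", "runmnt32.vbs", "holidaypics.vbs",
    "securityupdate.vbs", "update.vbs", "updatesecurity.vbs",
    "updateinstaller.vbs", "updatesetup.vbs", "readme.vbs",
}
MEDIA_EXTS = {".mp3", ".mp2", ".mpg", ".mpe", ".mpeg", ".avi", ".mov"}

# Every Run value the worm writes has the shape "Wscript.exe <path>.vbs %1".
_WSCRIPT_RE = re.compile(r"wscript\.exe\s+.*\.vbs\s+%1", re.IGNORECASE)
_VALUE_RE = re.compile(r'"([^"]+)"="(.*)"$')


def scan_registry(reg_export: str) -> list[str]:
    """Scan text in regedit export format and return one finding per
    matching indicator (suspicious Run value, marker key)."""
    findings = []
    current_key = ""
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if current_key.lower().startswith(MARKER_KEY.lower()):
                findings.append(f"infection marker key present: {current_key}")
            continue
        m = _VALUE_RE.match(line)
        if not m or current_key.lower() != RUN_KEY.lower():
            continue
        name, data = m.group(1), m.group(2)
        # Require both the known value name and the Wscript.exe launch string,
        # so a legitimate value that merely shares the name is not reported.
        if name.lower() in RUN_VALUE_NAMES and _WSCRIPT_RE.search(data):
            findings.append(f"suspicious Run value {name} -> {data}")
    return findings


def scan_files(paths: list[str]) -> list[str]:
    """Flag dropped worm files and media files that carry an added .vbs."""
    findings = []
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name in DROPPED_NAMES:
            findings.append(f"dropped file: {p}")
            continue
        # "track01.mp3.vbs" -> ["track01", "mp3", "vbs"]
        parts = name.rsplit(".", 2)
        if len(parts) == 3 and parts[2] == "vbs" and "." + parts[1] in MEDIA_EXTS:
            findings.append(f"media file with appended .vbs: {p}")
    return findings


# Constructed sample input: a partial regedit export and a directory listing
# as they would look on an infected machine whose system directory is
# c:\windows\system (the first case in the description).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Runmsdsk32"="Wscript.exe C:\\WINDOWS\\SYSTEM\\Runmsdsk32.vbs %1"

[HKEY_CURRENT_USER\Software\Theory]
"Theory"="VBS/Theory by Zed"
"""

SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\Runmsdsk32.vbs",
    r"C:\WINDOWS\SYSTEM\SiteList.vbs",
    r"C:\WINDOWS\SYSTEM\shell32.dll",
    r"D:\music\track01.mp3.vbs",
    r"D:\music\track02.mp3",
    r"D:\video\holiday.avi.vbs",
]

if __name__ == "__main__":
    for finding in scan_registry(SAMPLE_REG) + scan_files(SAMPLE_FILES):
        print(finding)
```

On a live machine the same functions can be fed the output of `regedit /e` and a recursive directory listing; the registry check deliberately requires both the value name and the Wscript.exe launch string, since a name match alone is a weak indicator.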

Symptoms

Receipt of one of the emails listed above. The presence of any of the files listed above. Media files (.mp3, .mp2, .mpg, .mpe, .mpeg, .avi and .mov) carrying an added .vbs extension.

Method of Infection

Opening the emailed .vbs attachment, or executing any of the infected files listed above.

Removal

Use the specified engine and DAT files for detection and removal. Delete any file which contains this detection.

Manual Removal Instructions:
- Delete the file(s) mentioned in this description.
- Remove the registry entries listed above if present: the Run value that launches the script through Wscript.exe, and the HKEY_CURRENT_USER\Software\Theory marker. Remove the Run value together with the script it points to; if only the script is deleted, Windows will still attempt to run it through Wscript.exe at each startup and report the missing file.

Using File Filtering with WebShield SMTP for Windows NT (not applicable to Solaris):
Within the Configuration console, select Content Filtering.
Select Add.
Add a description for the content filter rule, such as VBSBlock.
Select Filter on Attachment File Name.
Filter on .vbs.
Select OK.
Because every lure listed above carries a .vbs attachment, and infected media files are also renamed with a .vbs extension, a file name filter on .vbs stops this worm at the gateway. The rule matches only the declared attachment name, not its content, so it offers no protection against a script renamed to another extension.
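The same decision the WebShield rule makes, expressed in code so it can be tested against real messages: an added example, not part of this description or of WebShield, that parses a constructed message shaped like the HolidayPics lure above and quarantines it when any attachment's final extension is on a block list. It assumes an SMTP gateway that hands the filter the raw RFC 822 message text; the block list extends the .vbs rule in the text to the other Windows Script Host extensions, which is this example's own choice.

```python
import email
import os
from email import policy

# Attachment extensions to block. The WebShield rule above filters on .vbs
# only; this constructed example also blocks the other Windows Script Host
# extensions (assumption: the site has no need to receive scripts by mail).
BLOCKED_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def blocked_attachments(raw_message: str) -> list[str]:
    """Return the declared file names of attachments whose final extension
    is on the block list. Only the last extension is examined, so a renamed
    media file such as track01.mp3.vbs is caught as well."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTS:
            hits.append(name)
    return hits


def verdict(raw_message: str) -> str:
    """Gateway decision: quarantine if any attachment is blocked."""
    return "quarantine" if blocked_attachments(raw_message) else "deliver"


# Constructed messages: one shaped like the HolidayPics lure with three
# attachments (the attachment bodies are placeholder base64, not the worm),
# and one plain text message with no attachments.
LURE = """\
From: alice@example.com
To: bob@example.com
Subject: Check this out, Bob
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello Bob check out these pictures of my last holiday! Dont get jealous!!
--b1
Content-Type: application/octet-stream; name="HolidayPics.vbs"
Content-Disposition: attachment; filename="HolidayPics.vbs"
Content-Transfer-Encoding: base64

TXNnQm94ICJjb25zdHJ1Y3RlZCI=
--b1
Content-Type: image/jpeg; name="beach.jpg"
Content-Disposition: attachment; filename="beach.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b1
Content-Type: application/octet-stream; name="track01.mp3.vbs"
Content-Disposition: attachment; filename="track01.mp3.vbs"
Content-Transfer-Encoding: base64

TXNnQm94ICJjb25zdHJ1Y3RlZCI=
--b1--
"""

CLEAN = """\
From: alice@example.com
To: bob@example.com
Subject: lunch
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Noon at the usual place?
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("clean", CLEAN)):
        print(label, verdict(raw), blocked_attachments(raw))
```

The check is by declared file name only, exactly as the WebShield rule is; a gateway that also scans attachment content with the engine and DATs named at the top of this page closes the gap left by a renamed script.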

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook E-mail Attachment Security Update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.
